Protect folder from external requests - asp.net

I'm working with ASP.NET 2.0, and I have a folder in my application path, ~/Data/, with some .mdb files.
I would like to protect this folder from external requests like http://www.whatever.com/Data/whatever.mdb
But I would need to give any permission to my application, because I'm using OleDBConnections against the ~/Data/ path.
What could be the best way to protect this folder?
Kind Regards.
Josema.

In IIS Manager, remove at least anonymous access, if not all access. Your application code can continue to use its contents, but HTTP requests cannot access it.

If possible in your situation, another option would be to place the mdb files outside of the website. For example, something like this directory structure:
/MyProject
    /Data
        - whatever.mdb
    /www
        - Default.aspx
where www is the actual root of your website. That way, users will never be able to access the mdb files from the browser, while you can still use OleDBConnections against the mdb files. To my knowledge this is pretty secure, and this way you can't accidentally forget to disallow access in IIS.

Did you check if it actually is a problem?
I'm using ASP.NET 3.5 here but the default App_Data folder is shielded for downloading. Maybe you should just follow the guidelines and verify.
As for the other answers about moving Data outside your Web folder, that usually won't work when you use a hosting provider.

Related

Access to the path 'C:\Sites\content\ServerIpAddress.txt' is denied

I created a web site, and in its Default web page I try to access the ServerIpAddress.txt file that is on the server. When I run my project on localhost it works correctly, but when I upload it to the server (free host) I get the error. Can someone help me?
You most likely do not have permissions to access files on the shared server due to security issues. Consider moving data from that file to a web.config app key, or access the file as a relative path to your site. The remote server will most likely not have the same folder structure as your local machine.
The account that is being used for the worker process of the web site has no (write) access to the file.
Configure the file (or folder) so that the ASP.NET process has access.
Another thing to look at is whether or not the path as stated in the code is the actual path on the server.
Give full permission to the ServerIpAddress.txt file. It will work.
Right click on content folder. Click Properties. Then from General tab uncheck the Read-only checkbox.
Then go to Security tab and Allow Write permission for your ASP.NET process.
Are you using a database? In that case how did you set up permissions for app_data folder? You have to set permissions in the same way.
If you are not able to do that, try moving the file inside of app_data folder and then check.
Right click on the .txt file, select Security and add Network Service. Restart IIS and try. It will work.

opening folder in web site structure in Windows

I am trying to set up a hyperlink to open a Windows Explorer, so that it can display a folder on the web server that is within the web site.
So in IIS, we have inetpub/MyWebSite/subFolder/Data/
I would like to allow for a web page hyper link to open the folder /Data
I can set up a user account on the web server and only provide access to this folder. I can use ASP Membership to restrict access here, and/or assign the Network Service account access.
I don't really care who can see this folder as anything that gets placed in here will only be temporary, and nothing is "Mission Critical" just a file that the web site will read and write to and then it gets deleted.
Any and all ideas and suggestions will be tested.
Thanks for any help.
Build a representation of the folder's contents (using a DirectoryReader and CSS) and display that. Don't actually try to display the physical folder.
This sounds like FTP, and if it's on an intranet, why not create a share? Much less work.

Limiting file download based on access level on asp.net

I have a web app made in ASP.NET MVC 3. There is a facility to upload and download files using the application. Uploaded files will be stored in some folder under the web root. I want to allow downloading files only to those who have access to the files. No one should be able to download the file by directly pasting in the file URL.
I use shared hosting with limited IIS access. So what would be the best way to achieve this?
How are you storing the data on the access rights currently? It sounds like you are not going to be able to make use of IIS to control access to your files and will have to handle it yourself.
As this is the case, rather than link to the file directly you should store the files outside of your web root and then handle requests coming in for files through ASP.NET MVC using a GET method. At that point you can check the user's credentials, and if they have access you can serve the file.
I'm not too familiar with it, but it looks like ASP.NET MVC makes serving up files very easy with the ability to return a FileContentResult, supported by the Controller.File method (documentation here).
This blog post looks like a great start, and you would just need to insert your credential-checking logic into the Get method.
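
The approach in the answer above (files kept out of the directly served tree, every download going through a controller action that checks the user first), shown as an added example that is not part of the original answers. The controller name, the in-memory access table, the sample file names and the ~/App_Data/uploads location are assumptions for illustration; on shared hosting App_Data stands in for a directory outside the web root.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Mvc;

[Authorize] // anonymous requests are sent to the login page before any action runs
public class DownloadController : Controller
{
    // Hypothetical stand-in for the application's access-rights table:
    // file id -> stored file name and the users allowed to fetch it.
    private static readonly Dictionary<int, KeyValuePair<string, string[]>> Files =
        new Dictionary<int, KeyValuePair<string, string[]>>
        {
            { 1, new KeyValuePair<string, string[]>("report.pdf", new[] { "alice" }) },
            { 2, new KeyValuePair<string, string[]>("notes.txt", new[] { "alice", "bob" }) }
        };

    // Reached through the default MVC route as /Download/Get/1
    [HttpGet]
    public ActionResult Get(int id)
    {
        // The URL carries only an id; the file name always comes from the table.
        KeyValuePair<string, string[]> entry;
        if (!Files.TryGetValue(id, out entry))
            return HttpNotFound();

        // Authorization is decided per file, not just per login.
        bool allowed = Array.Exists(entry.Value, u =>
            string.Equals(u, User.Identity.Name, StringComparison.OrdinalIgnoreCase));
        if (!allowed)
            return new HttpStatusCodeResult(403);

        // ASP.NET does not serve App_Data; a directory outside the site works the same way.
        string root = Path.GetFullPath(Server.MapPath("~/App_Data/uploads"));
        string full = Path.GetFullPath(Path.Combine(root, entry.Key));

        // Refuse anything that resolves outside the storage directory.
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(full))
            return HttpNotFound();

        // Generic content type plus a download name keeps the browser from rendering the upload inline.
        return File(full, "application/octet-stream", Path.GetFileName(full));
    }
}
```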

asp.net log files permissions

Our ASP.NET app writes errors to a text log file in the web site's root folder. This has led to all sorts of permission problems; different flavors of IIS and Windows allow different things by default.
So what I am wondering is there a location somewhere in Windows where all types of users can write a file without any extra permissions that will also work for all IIS and flavors of windows?
I am thinking of the ApplicationData folder, but did this exist in Server 2003?
Thanks,
AJ
The easiest solution would be to use the App_Data subfolder of your web application for this. By default it's not viewable from the web, so Internet clients won't be able to read the logs.
Depending on your deployment method, you might have to change the permission to allow write access to this folder (to the user under which your web application is running).
Alternatively, there is a place where every user can write to: It's that user's temporary folder, which you can access through Path.GetTempPath. This, however, does not sound like a suitable location for log files.
You should always first think about wwwroot folder (%systemdrive%\inetpub\wwwroot) because it has the required permission.
The permission you need is to set a full control for IIS_IUSRS
Edit: you can simply give Everyone Full Control (not recommended at all) but this solves most of ntfs permissions issues with IIS

ASP.NET MVC - Website paths

I am using a 3rd party component which creates settings files based on hard-coded file paths i.e. they are compiled into the DLL e.g.
%APPDATA%\Vendor\Settings.ini
I have created a few console/service applications that use this and work very well. However, I am now trying to use a similar approach via my ASP.NET MVC web application and the settings file never seems to write out!
Usually if the application is running under my account, for example, the file would be written to somewhere like:
C:\Documents and Settings\James\Application Data\Vendor\Settings.ini
So I thought if the website AppPool was running under the same account the file would be saved to the same place... However, it never appears. The account is an admin account running under Windows Server 2003.
Any ideas?
Thanks.
Have you checked to see if the settings file is created in the App_Data folder in the web application? If not, could you put an existing settings file there and see if it uses it?
It's not about the webpool account, it's about guest user's account.
Go to the properties of your site in IIS, Directory Security, and in the anonymous access section click on the Edit button; there you'll see which account is being used when someone accesses your site.
Couldn't find a solution to this, so I decided to develop a local WCF service (which would create the settings file in the correct directory path) and just accessed it via my web application.
